Answered by:

Windows 7 PCs on Server 2003. Help a rookie understand please!

Question

Hi There,
So I'm having a lot of drama's installing 2 new Windows 7 workstations into a Windows Server 2003 SP2 environment and hope somebody can push me in the right direction. I'll try to summarize the environment and issue, and give some specific questions I have
about this process, as I am quite new to it all.

At a small school we have 2 Server 2003 SP2 servers, one for curriculum, one for administration which are linked together (in a 'forest'??)
The admin office had some old XP machines, which I am replacing with 2 windows 7 pro machines. My process was as follows:
- Create a new admin computer in AD ('admin4' for example)
- Rename computer to 'admin4' and add to administration domain instead of default workgroup.
- Add 'admin4' to dnsmgmt on administration server, assigning IP address Host + Pointer

Result: I can login to accounts on the administration domain and access the internet, shared file directories and shared printer on administration domain.

PROBLEMS:
- I cannot access any accounts or shared printers on the curriculum domain. I am unable to ping the curriculum server or attached printers.
- UAC pops up for every action, even though the user is an administrator. I can use the domain administration account to elevate this, but it still pops up each time
I have tried using one pc to install RSAT and use a GPO manager to remove UAC, however the results are the UAC prompt does not display, it just errors with varying messages of 'user does not have sufficient privileges.'

Also, there are already a couple Windows 7 machines attached to the curriculum network that function correctly, so I feel like I'm just missing a step in this process somewhere maybe... Any help or ideas would be greatly appreciated. I can post more info as
people request it.

- Im sure this is a stupid question, but, in the DNS management console, under properties->security of a computer. For eg. 'Admin1' will have a listing of 'Admin1$' which has full read/write access, and this is also listed as the owner. However the new computers
I add do not have this, and have SYSTEM listed as the owner. What would be the ComputerName$ group that I can see on all of these??

That will do for now. Let me know If you need more specific info in any area.

Answers

OK, so, thanks so much for pointing out that I hadn't done anything specifically wrong, as I was doubting that and investigating the wrong areas. I had activated a group policy early on that was suggested elsewhere that was preventing access to the curriculum
network. Disabling this has resolved that issue.
I can now access the shared files and printers (though no driver for win7 64bit)
Still need to sort out the UAC problem, but at least it now shows up so I can elevate it when required.
Will update after today and mark the issue as resolved

UPDATE
All problems resolved now. Of course it was a simple issue all along
- A group policy setting on the server was preventing access to the curriculum network
- With access to curriculum network I could add printers and update with x64 drivers
- UAC was set to auto elevate by adding the user to the local machine as administrator while logged in as domain administrator

Hey thanks, I will try and do this as soon as possible. Might run in tomorrow and get an ipconfig /all print out and post here. I believe though, I was able to ping the 'administration' domain controller, but not 'curriculum'

I can't get into the office for a couple other days so if anyone has any other input feel free to chime in also with anything I can research/consider. Also If anyone can let me know what the security group 'computername$' is likely reference to that would
be great. Thanks!

please post the used domain name in AD UC, the NEtBios domain name and the domain name shown in the DNS management console from each of the domains.

Maybe there is no trust so you cannot use resources from the other domain.

An unedited ipconfig /all from each server and a client from each network will be helpful also.

Normally there is no need to pre-creaete computer accounts in AD, just add the machine to the domain and it will be automatically use the machine name and place it in AD UC computers container from where you can move it to the required OU in AD UC.

I don't have all the info you requested on hand, but I'll post what info I can, I have some ipconfig printouts.

Right off the bat I am noticing the new machines are missing addresses in the 'DNS Suffix Search List'. I imagine this is likely the cause of the missing connection from the admin domain to the curriculum domain?
I was short on time, but could not see where these were set. Is this likely to be done in group policy? And should that have populated to the new PC's automatically? There were no settings in TCP/IP on the working PC's.

So far when I have added new machines, they have not worked till I create a new computer manually in AD. Might need to look into that further.

Hi, I'm still getting my head around the system so I am not completely sure. Am only there once a week so will need to look into it in a couple days. But if I have some ideas that I can work through to try and resolve and save time that would be great
They don't seem to be in the same forest, as in I cannot see any reference to curriculum.local in dnsmgmt or AD. Would I likely need to look in the DNS settings to find this out?
Computers on curriculum.local have no access to the administration network, but the administration domain PC's should have access to the printers and such on curriculum..

ADMINISTRATION4 for the most part does work on administration.XXXXXXX.XXXXX.XXXXXXXX.edu.au
The only 2 issues I'm having now are:
- Unable to access Printers or files curriculum.local
- Users who should have full administration rights, and do so on the WinXP machines, are unable to perform any function locked down by UAC win Win7. Errors such as 'user does not have privilege to perform this task'

The only 2 issues I'm having now are:
- Unable to access Printers or files curriculum.local
How do you connect to the domain shares and printer?

- Users who should have full administration rights, and do so on the WinXP machines, are unable to perform any function locked down by UAC win Win7. Errors such as 'user does not have privilege to perform this task' Is this
about the other domain or on the administration.x.x..x.xx. domain?

How do you connect to the domain shares and printer?
They are just mapped network drives or shared printers.
Eg. \\10.129.180.17\students (I would need to check what the exact IP is)
With the pc that is working I can simply add new shared network printer by name eg 'Photocopier' or \\10.129.180.17\Photocopier
(Let me know if this isnt what you mean sorry...)

Is this about the other domain or on the administration.x.x..x.xx. domain?
This is on the administration.XXXXXXX.XXXXX.XXXXXXXX.edu.au domain
So a separate issue to the network shares. I can access shared files and printers on administration.XXXXXXX.XXXXX.XXXXXXXX.edu.au with no problems

which complete error message is shown when you use Eg.
\\10.129.180.17\students to connect? This way should work if no firewall prevent access, of course as it is on another domain/forest you would be asked for domain\username and password with permissions on the folder.

UAC on Windows 7 require to work with RUNAS(elevated permissions) even for administrators, so please try again with rightclick and choose RUNAS.

Hi, I am quite sure it is 'Windows cannot access \\10.129.180.17\students -- Check the spelling of the name etc etc.' when trying to map a drive. When entering straight into explorer it is the same
I will have to confirm this tomorrow when I have access to the systems however.
When trying to add a printer from the curriculum network but using its name, I'm pretty sure I receive the error 'Connect to Printer -- Windows couldn't connect to the printer. Check the printer name and try again. If this is a network printer, make sure
that the printer is turned on, and that the printer address is correct'

I can try both of these things tomorrow and post back if I am still unable to resolve. If you have any ideas on which areas are best to troubleshoot that would be great! Ill try the things you mentioned and check firewall etc and post back with results.

OK, so, thanks so much for pointing out that I hadn't done anything specifically wrong, as I was doubting that and investigating the wrong areas. I had activated a group policy early on that was suggested elsewhere that was preventing access to the curriculum
network. Disabling this has resolved that issue.
I can now access the shared files and printers (though no driver for win7 64bit)
Still need to sort out the UAC problem, but at least it now shows up so I can elevate it when required.
Will update after today and mark the issue as resolved

UPDATE
All problems resolved now. Of course it was a simple issue all along
- A group policy setting on the server was preventing access to the curriculum network
- With access to curriculum network I could add printers and update with x64 drivers
- UAC was set to auto elevate by adding the user to the local machine as administrator while logged in as domain administrator

Microsoft is conducting an online survey to understand your opinion of the Technet Web site. If you choose to participate, the online survey will be presented to you when you leave the Technet Web site.